How to Configure Symfony to Work behind a Load Balancer or a Reverse Proxy¶

When you deploy your application, you may be behind a load balancer (e.g.
an AWS Elastic Load Balancing) or a reverse proxy (e.g. Varnish for
caching).

For the most part, this doesn't cause any problems with Symfony. But, when
a request passes through a proxy, certain request information is sent using
either the standard Forwarded header or X-Forwarded-* headers. For example,
instead of reading the REMOTE_ADDR header (which will now be the IP address of
your reverse proxy), the user's true IP will be stored in a standard Forwarded: for="..."
header or a X-Forwarded-For header.

If you don't configure Symfony to look for these headers, you'll get incorrect
information about the client's IP address, whether or not the client is connecting
via HTTPS, the client's port and the hostname being requested.

The Request object has several Request::HEADER_* constants that control exactly
which headers from your reverse proxy are trusted. The argument is a bit field,
so you can also pass your own value (e.g. 0b00110).

Some reverse proxies (like AWS Elastic Load Balancing) don't have a
static IP address or even a range that you can target with the CIDR notation.
In this case, you'll need to - very carefully - trust all proxies.

Configure your web server(s) to not respond to traffic from any clients
other than your load balancers. For AWS, this can be done with security groups.

Once you've guaranteed that traffic will only come from your trusted reverse
proxies, configure Symfony to always trust incoming request:

1
2
3
4
5
6
7
8
9
10
11

// public/index.php// ...Request::setTrustedProxies(// trust *all* requests (the 'REMOTE_ADDR' string is replaced at// run time by $_SERVER['REMOTE_ADDR'])['127.0.0.1','REMOTE_ADDR'],// if you're using ELB, otherwise use a constant from aboveRequest::HEADER_X_FORWARDED_AWS_ELB);

That's it! It's critical that you prevent traffic from all non-trusted sources.
If you allow outside traffic, they could "spoof" their true IP address and
other information.

Tip

In applications using Symfony Flex you can set the
TRUSTED_PROXIES env var:

1
2

# .envTRUSTED_PROXIES=127.0.0.1,REMOTE_ADDR

If you are also using a reverse proxy on top of your load balancer (e.g.
CloudFront), calling $request->server->get('REMOTE_ADDR') won't be
enough, as it will only trust the node sitting directly above your application
(in this case your load balancer). You also need to append the IP addresses or
ranges of any additional proxy (e.g. CloudFront IP ranges) to the array of
trusted proxies.